Cisco Web Security Appliance S160 User Guide

20-35
Cisco IronPort AsyncOS 7.5 for Web User Guide
 
Chapter 20      Authentication
NTLM Authentication
The NT LAN Manager (NTLM) authenticates users with an encrypted challenge-response sequence that occurs between the appliance and a Microsoft Windows domain controller. The NTLM challenge-response handshake occurs when a web browser attempts to connect to the appliance and before data is delivered.

When you configure an NTLM authentication realm, you do not specify the authentication scheme. Instead, you choose the scheme at the Access Policy group level when you configure the policy member definition. This allows you to choose different schemes for different policy groups. When you create or edit the policy group, you can choose one of the following schemes:
  • Use NTLMSSP
  • Use Basic or NTLMSSP
  • Use Basic
Note: AsyncOS for Web only supports 7-bit ASCII characters for passwords when using the Basic authentication scheme. Basic authentication fails when the password contains characters that are not 7-bit ASCII.
Working with Multiple Active Directory Domains
AsyncOS allows you to create only one NTLM authentication realm. If your organization has multiple 
Active Directory domains, you can authenticate users in all domains if the following conditions exist:
Table 20-14    LDAP Group Authorization—User Object Settings (continued)

User Object Setting: Attribute that Contains the Group Name
Description: When the group membership attribute is a DN, this specifies the attribute that can be used as group name in policy group configurations.
Choose one of the following values:
  • cn. A unique identifier in the LDAP directory that specifies the name of a group.
  • custom. A custom identifier such as FinanceGroup.

User Object Setting: Query String to Determine if Object is a Group
Description: Choose an LDAP search filter that determines if an LDAP object represents a user group.
Choose one of the following values:
  • objectclass=groupofnames
  • objectclass=groupofuniquenames
  • objectclass=group
  • custom. A custom filter such as objectclass=person.
Note: The query defines the set of authentication groups which can be used in Web Security Manager policies.
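To make the two group-authorization settings concrete, here is an added Python simulation (not code from the guide or from the appliance) of how a DN-valued group membership attribute is dereferenced, checked against the "is this object a group" filter, and mapped to a group name via the configured attribute. The directory entries, the `memberOf` attribute name and the simple `attribute=value` filter evaluator are constructed assumptions for the example.

```python
# Constructed LDAP entries (sample data, not from the guide): DN -> attributes.
DIRECTORY = {
    "cn=FinanceGroup,ou=Groups,dc=example,dc=com": {
        "objectclass": ["top", "groupofnames"],
        "cn": ["FinanceGroup"],
        "description": ["Finance"],
    },
    "cn=jdoe,ou=People,dc=example,dc=com": {
        "objectclass": ["top", "person"],
        "cn": ["jdoe"],
        "memberOf": [
            "cn=FinanceGroup,ou=Groups,dc=example,dc=com",
            "cn=asmith,ou=People,dc=example,dc=com",  # a user DN, not a group
            "cn=Orphan,ou=Groups,dc=example,dc=com",  # DN with no entry
        ],
    },
    "cn=asmith,ou=People,dc=example,dc=com": {
        "objectclass": ["top", "person"],
        "cn": ["asmith"],
    },
}


def get_attr(attrs, name):
    """LDAP attribute names are case-insensitive; look one up accordingly."""
    for key, values in attrs.items():
        if key.lower() == name.lower():
            return values
    return []


def matches_filter(attrs, search_filter):
    """Evaluate a simple attribute=value filter such as objectclass=groupofnames."""
    name, _, value = search_filter.strip("()").partition("=")
    return any(v.lower() == value.lower() for v in get_attr(attrs, name))


def group_names(user_dn, membership_attr, group_filter, name_attr, directory=DIRECTORY):
    """Return the group names usable in policy groups for one user."""
    names = []
    for dn in get_attr(directory.get(user_dn, {}), membership_attr):
        entry = directory.get(dn)
        if entry is None or not matches_filter(entry, group_filter):
            continue  # unresolvable DN, or an object the filter does not treat as a group
        names.extend(get_attr(entry, name_attr))
    return names


if __name__ == "__main__":
    user = "cn=jdoe,ou=People,dc=example,dc=com"
    print(group_names(user, "memberOf", "objectclass=groupofnames", "cn"))
```

Running it with the filter `objectclass=person` instead shows why the custom filter must be chosen with care: user objects referenced from `memberOf` would then be reported as groups.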